package com.itany.corejava.code13_jdbc;

import java.sql.*;
import java.util.ArrayList;
import java.util.List;

/**
 * @author Miss Chen
 * @version 1.0
 * @date 2024年08月07日9:07
 */
public class Test02_SQL注入 {
    public static final String JDBC_URL="jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8";
    public static void main(String[] args) {
        // select * from t_user where username='aa' or '1'='1' and password='bb' or '1'='1';
        List<User> users=login("aaaa' or '1'='1","bbb' or '1'='1");
        for(User user:users){
            System.out.println(user);
        }
    }
    public static List<User> login(String username, String password){

        Connection conn=null;
        Statement st=null;
        ResultSet rs=null;
        List<User> users=new ArrayList<>();
        try {
            // 1.注册驱动
            Class.forName("com.mysql.jdbc.Driver");
            // 2.获取连接
            conn= DriverManager.getConnection(JDBC_URL,"root","root");
            // 3.获取状态集
            st=conn.createStatement();
            //4.执行sql
            String sql="select * from t_user where username='"+username+"' and password='"+password+"'";

            //5.执行查询操作
            rs=st.executeQuery(sql);
            while(rs.next()){
                User user=new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
        }
        return users;
    }
}
